npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

rest-bac

v1.0.0

Published

REST based access control list middleware for expressjs

Downloads

3

Readme

REST-bac

NPM Version Travis Build

A REST based access control list middleware for Express applications.

This middleware allows to protect each method (GET,POST...) of any Express path (all the Express-style paths) with a set of custom roles specified in a configuration JSON.

Install

In your project root type npm install rest-bac --save

Usage

To use the middleware you need an express application and a rest-bac configuration JSON. The express application should already provide a middleware or some other logic that set the req.user.roles property with an array of roles (string).

NB: the module protect exclusively the paths specified in the REST-BAC configuration JSON. If a business logic route path doesn't have a catching rest-bac path rule you have an Unhautorized 401 response.

JSON Configuration

The following configuration allow a "user" role to do GET requests to /book and all the paths under /book/* that don't match the path /book/admin/. An "admin" role can do POST and GET requests to /book and all its descendant paths /book/

{
  "/book(/*)?": {
    "get": ["user", "admin"],
    "post": ["admin"]
  },

  "/book/admin/*": {
    "action": "deny",
    "get": ["user"]
  },

  "/author(/*)?": {
      "get": ["user","admin"]
  }
}

Initialization

To initialize the rest role based access control simply use

var restbac = require('rest-bac');

// some code to initialize the express app and the rest-bac configurations

// app is the expressjs application
// rbac-config is the JSON (parsed) object for the configuration
// prefix-path is an optional string to be prefixed to all the paths specified in the rbac-config
restbac(app, rbac-config, prefix-path)

Full Example

This is a full example to better understand how to use the middleware.

Server Application Code

This code can be found at /test/server.js. You can run and test it directly with node test/server.js.

"use strict";

var express = require('express');
var restbac = require('rest-bac');

// some code to initialize the express app and the rest-bac configurations
var app = express();

// before use rest-bac the express app need to extract some roles from the request
// and put them in the req.user.roles array
app.use(function (req, res, next) {
    req.user = {};
    var auth = req.get('Authorization');
    if (typeof auth != "undefined")
        req.user.roles = auth.split(" ");
    else
        req.user.roles = [];
    next();
});

var config = {
    "/book(/*)?": {
        get: ["user", "admin"],
        post: ["admin"]
    },
    "/book/admin/*": {
        action: "deny",
        get: ["user"]
    }
};

// setup the rest methods protection --> paths in config are prefixed with "/api/v1"
restbac(app, config, "/api/v1");

// now we can define some business logic API routes
app.get("/api/v1/book/:id", function (req, res, next) {
    // user and admin roles can reach this function
    res.send(req.params.id);
});
app.post("/api/v1/book", function (req, res, next) {
    // only the admin can reach this function
    res.send("POST OK");

});
app.get("/api/v1/book/admin/some", function (req, res, next) {
    // only the admin can reach this function
    res.send("admin path");
});


// a simple error handler to catch authorization error
app.use(function (err, req, res, next) {

    // rest-bac authorization error propagate an Error object with a 401 status code

    res.status(err.status || 500);
    res.json({
        message: err.message
    });

});

var server = app.listen(3000, function () {
  var host = server.address().address;
  var port = server.address().port;
  console.log('Example app listening at http://%s:%s', host, port);
});

Some requests

Valid request for a user role

GET /api/v1/book/123 HTTP/1.1
Host: 127.0.0.1:3000
Authorization: user


HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 3

123

Invalid role cause a 401 with a json error message

GET /api/v1/book/123 HTTP/1.1
Host: 127.0.0.1:3000
Authorization: invalid


HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Content-Length: 63

{"message":"Unhautorized: Invalid role or path not configured"}

The user cannot request a path under /api/v1/book/admin/*

GET /api/v1/book/admin/some HTTP/1.1
Host: 127.0.0.1:3000
Authorization: user

HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Content-Length: 63

{"message":"Unhautorized: Invalid role or path not configured"}
GET /api/v1/book/admin/some HTTP/1.1
Host: 127.0.0.1:3000
Authorization: admin


HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 10

admin path